SBA relying on shared services to improve cyber posture

Chase Garwood, acting CIO, Small Business Administration

The Small Business Administration's technology to-do list is split between
internal and external customers.

But none of its priorities matter if it can't secure those systems. So that's why
the SBA is turning to shared services to meet its cybersecurity demands.

Chase Garwood, the acting chief information officer at SBA, said the agency
already is using the Justice Department's Cybersecurity Assessment and Management
(CSAM) tool to complete its reporting under the Federal Information Security
Management Act. And now it's turning to the Homeland Security Department to
implement continuous monitoring.

"We've had quite a few management challenges from our Inspector General and we
continue to look at those and hit those cybersecurity elements. So a big part of
that in the next six months or so will be in continuous monitoring," he said.
"That's just a capability the agency hasn't been as robust as it could be in the
last couple of years. But now that we are out of the continuing resolution, and
now that we are moving forward for the rest of the fiscal year, we are looking to
get into and deploying and starting to operate our configuration management to
improve our cybersecurity posture, to know what's on our networks, to make sure
that the latest baseline and patches are up to date and moving that forward."

Garwood said SBA made good progress over the last year by deploying the
802.1x standard to improve its network defense. The standard secures an
organization's network ports by applying access control rules so devices need to
authenticate before they are allowed to log on.

SBA also is looking to partner with DHS's U.S. Computer Emergency Response Team
(U.S. CERT) to do penetration testing and implement continuous diagnostics as part
of the continuous monitoring initiative.

Making better use of its data

In addition to DHS for shared services, SBA is buying services from the Treasury
for talent management, and wants to buy a shared service for an online
time-and-attendance system in the coming year.

Getting its computer security in better shape will help SBA better serve a growing list of
internal and external customers.

Garwood said several of his priorities focus on both.

For instance, SBA is moving to Microsoft's Dynamics CRM 2011 from its current
customer relationship management tool.

Garwood said CRM 4 met its needs, but as with any software upgrade there are
benefits and cost savings.

The updated CRM program also opens the door for SBA to improve how it manages and
uses data to meet its mission.

Garwood said SBA is moving to more commercial data management software such as
Microsoft's I-Dashboard and SQL Server Reporting Services and analysis.

"What that means is better ease of use for the enterprise and then the mission
folks for business intelligence," he said. "A big part of it is ease of reporting.
It's all about the data, but then it's also the use of that data. We are going to
more commercial-off-the-shelf solutions and common platforms, instead of what we
normally had in the CIO community, which was running customized reports and
scripts, which take a heavy load on your tier three database administrators and
the other folks, which equates to costs and time motion. If we can off-load that
and make it easier for our business users to run some reports off these COTS
products, that's where we are seeing some great benefits there."

Garwood also wants to improve the agency's enterprise architecture,
data governance and data framework to make SBA's data more usable.

SBA also is moving into the mobile computing space by developing a couple of new
mobile apps to help both employees and small businesses. Garwood wouldn't name the
specific areas the apps would address because they aren't quite ready yet.

SBA also will be renewing its mobile cellular services contract in the coming
year. Currently, it's with Research in Motion's BlackBerry.